GT500

Emsisoft Employee
  • Content Count: 13481
  • Joined
  • Days Won: 420

Posts posted by GT500


  1. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

    Link 1

    Link 2

    * IMPORTANT !!! Save Combo-Fix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      See HERE for help
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  2. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

    Link 1

    Link 2

    * IMPORTANT !!! Save Combo-Fix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      See HERE for help
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  3. hiijack

    OK, I thought those looked like entries from a HijackThis log. Due to the fact that it hasn't been updated in a very long time, I recommend avoiding HijackThis. It was a great utility back in the day, unfortunately that day came and went a long time ago.

    Good alternatives to HijackThis include Emsisoft HijackFree (which comes with Emsisoft Anti-Malware), Autoruns from Microsoft, and RunAlyzer from Safer Networking. There are a few other good ones as well, however I don't have a list of them. Also, please note that I don't actually need logs from any of these utilities, and that if you don't know what the various entries listed in these programs do then I highly recommend not using them to make any changes to your system configuration.

    Don't worry about not saving the Panda log. Go ahead and get me a fresh ComboFix log (download a fresh copy of ComboFix from one of these links: Link 1 / Link 2 and always make sure to disable your anti-virus software before running it) and let me know if your computer is still having any troubles (such as not being able to start in Safe Mode, weird popups or error messages, etc).


  4. Before I get on to the fix script I wrote, I noticed a couple of PDF files saved in your Documents folder about 4 hours before a folder related to the infection that I am seeing in your log was created. These PDF files are named 02-09-2012.pdf and 01-10-2012.pdf and I was wondering if you could upload each of them to VirusTotal at this link and post the links to the analysis of each file for me to look at.

    And now on to the fix script. ;)

    I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

    1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O4 - HKCU..\Run: [MicrosoftUpdate] C:\Users\Hussein\Documents\MSDCSC\msdcsc.exe File not found
      O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
      O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
      O18:[b]64bit:[/b] - Protocol\Handler\intu-help-qb3 - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\qbwc - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
      O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Users\Hussein\Documents\MSDCSC\msdcsc.exe) -  File not found
      O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      [2012/03/04 19:37:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows
      @Alternate Data Stream - 103 bytes -> C:\ProgramData\Temp:76650B61
      
      :Commands
      [EMPTYTEMP]


    2. Then click the Run Fix button at the top.
    3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
    4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
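The fix script above is a list of OTL log entries that the helper judged to be leftovers of the infection: autorun and BHO entries whose target file or CLSID no longer exists, a Winlogon UserInit value pointing into a user's Documents folder instead of the Windows directory, and an alternate data stream. The following is an added example, not GT500's code and not part of OTL, showing how a defender can triage lines in that format automatically. It embeds a constructed sample built from the entries in the script plus one constructed benign UserInit line so the check has a negative case; the BBCode `[b]...[/b]` markers are stripped before parsing, and the rule that UserInit should live under C:\Windows\system32 (or SysWOW64) is an assumption of this example, not something OTL enforces.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries from the fix script above, plus one benign
# UserInit line (constructed) so the Winlogon check has a negative case.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKCU..\Run: [MicrosoftUpdate] C:\Users\Hussein\Documents\MSDCSC\msdcsc.exe File not found
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Users\Hussein\Documents\MSDCSC\msdcsc.exe) -  File not found
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
@Alternate Data Stream - 103 bytes -> C:\ProgramData\Temp:76650B61
"""

BBCODE = re.compile(r"\[/?b\]")                      # forum bold markers leaked into the log
ENTRY = re.compile(r"^(?P<code>O\d+)(?::(?P<arch>64bit):)?\s*-\s*(?P<body>.*)$")
ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")
WINLOGON = re.compile(r"Winlogon: (?P<value>UserInit|Shell) - \((?P<path>[^)]*)\)")

# OTL's own wording for entries whose target no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")
# Assumption of this example: legitimate Winlogon values live here.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    code: str     # OTL section code (O4, O20, ...) or "ADS"
    reason: str   # why the line was flagged
    line: str     # the cleaned log line


def triage(text: str) -> list[Finding]:
    """Return a Finding for every log line that looks like an infection leftover."""
    findings = []
    for raw in text.splitlines():
        line = BBCODE.sub("", raw).strip()
        if not line:
            continue

        m = ADS.match(line)
        if m:
            findings.append(Finding("ADS", f"alternate data stream ({m['size']} bytes) on {m['target']}", line))
            continue

        m = ENTRY.match(line)
        if not m:
            continue   # not an O-entry; ignore headers and file listings
        code, body = m["code"], m["body"]

        # Orphaned autorun/BHO/protocol entries: harmless by themselves, but
        # they record where malware used to persist and should be cleaned up.
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(code, "orphaned entry: target file or CLSID no longer exists", line))

        # Winlogon UserInit/Shell pointing outside the Windows directory is a
        # classic logon-hijack sign, regardless of whether the file still exists.
        w = WINLOGON.search(body)
        if w and not w["path"].strip().lower().startswith(WINDOWS_DIRS):
            findings.append(Finding(code, f"Winlogon {w['value']} points outside the Windows directory: {w['path']}", line))
    return findings


def count_reasons(findings: list[Finding]) -> dict[str, int]:
    """Tally findings by the first word of their reason (orphaned / Winlogon / alternate)."""
    tally: dict[str, int] = {}
    for f in findings:
        key = f.reason.split()[0]
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    print(count_reasons(triage(SAMPLE_LOG)))
```

Run as-is it flags nine items from the constructed sample; the benign UserInit line is the only O20 entry that passes. Swap `SAMPLE_LOG` for the text of a real OTL log to get the same triage on it; the script only reads and classifies, it never modifies the system.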


  5. i solved the problem

    Caused By Driver: fltmgr.sys? what this

    You'll find file information here. Essentially, it is a Windows system file. It may have gotten damaged/corrupted by the infection. Do you have your Windows disk? Running the System File Checker may be a good idea, just in case, however it will require a Windows disk for your version of Windows. ComboFix didn't show any system files failing a signature check, so theoretically your system files are OK, however it may be a good idea to run it just in case.

    Another alternative is simply to reinstall the last Service Pack, which for Windows XP would be Service Pack 3.

    How did you fix the Blue Screen error? Did you run the System Restore?


  6. OK, that is a good sign. You can run a Full Scan with Malwarebytes' Anti-Malware on your other hard drives if you wish, in order to check and see if it detects anything. You may also want to run a Deep Scan with Emsisoft Anti-Malware as well (making sure to check those extra drives).

    Other than possibly a few infected files on your other hard drives, I don't think your system is still infected, so here are some final instructions for you:

    1. Make Sure Java is Updated:

    1. Click on the Start button.
    2. Click on Control Panel.
    3. Click Uninstall a program.
    4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.
    5. Click on this link and download and install the latest Java (the Windows Online download will be faster).

    2. Make Sure Adobe Flash is Updated:

    1. Click on this link and download the latest version of Adobe Flash Player for your web browser.
    2. You will need to close your web browser when installing Flash.

    3. Make Sure Your Computer Has The Latest Windows Updates:

    1. Click on the Start button.
    2. Go to All Programs.
    3. Click on Windows Update.
    4. Click Check for updates in the menu on the left (should be near the top).
    5. Once it is done checking for updates, click the Install updates button on the right.
    6. Make sure that if your computer wants to restart after the updates are done, that you allow it to do so.

    4. Web Of Trust Extension:

    While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

    5. Empty The System Restore:

    1. Click on the Start button.
    2. Right-click on Computer.
    3. Select Properties from the list.
    4. In the window that pops up, click on the System protection link in the menu on the left.
    5. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button.
    6. Click the button near the bottom-right that says Delete to clear all System Restore data.
    7. Once finished, click OK to close that window.
    8. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point.
    9. Fill in a name for the restore point, and click the Create button.
    10. Once it is done, you can close the windows that were opened to get to the System Restore settings.


  7. You're welcome. I'm sorry we couldn't be of more assistance in getting it fixed.

    A good repair shop will have utilities such as customized BartPE disks or UBCD4Win disks where they can run all sorts of anti-virus scans from a bootable CD. Theoretically they will also have techs capable of looking at your system and manually removing anything that anti-virus software is missing.

    Since it appears that the need for this topic is now over, I'm going to go ahead and close it. If you require any further assistance, then please let me know. This topic can be reopened at any time. ;)

    Note: The instructions in this forum topic have been customized based on the logs posted by the person asking for assistance. Please do not attempt to follow any of the instructions in this forum topic, as they could cause damage to your computer. If you require assistance, please start here if you believe your computer is infected, and one of our experts will be happy to assist you by analyzing your logs.


  8. 120 NameServer {E255FD21-46B6-4963-9EA9-18E320EFD851} : 208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4?

    !!!!! can you explain to me what this line mean

    That is a list of the DNS servers that your computer will ask for a list of what domain names map to what IP addresses. For more information, here's a link to an article on DNS.

    O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - REDC - (no file)

    O4 - Startup: AdFender.lnk = C:\Program Files\AdFender\AdFender.exe

    Did you run HijackThis, or were those in your OTL log?

    That file appears to be a legitimate part of AdFender.

    I assume you are still not able to start your computer normally? If so, then let me know if you are able to uninstall your software from PCTools while Windows is running in Safe Mode. One of their drivers is one of the ones failing on startup, and it is possible that one of their drivers was corrupted.


  9. I'm sorry, I forgot to ask you for a copy of the memory dump from the blue screen error.

    Here is a link to an article from Microsoft on memory dumps in Windows XP. You may need to upload it to a service such as RapidShare due to the large size of memory dump files. Note that you can send me the link to download the dump file via a private message on our forums if you do not want to post it publicly.


  10. I'm ignoring the RunScanner log for now. Please stick to the utilities I specifically ask you to run, as extra logs will just make this take longer, and may not actually help. ;)

    That ComboFix log looks good. I don't think your computer is still infected. My understanding is that the only issue remaining is this BSOD on startup, correct? I'm waiting for our developers to take a look at that one, however I did notice in your ComboFix log that you have a lot of security software installed. Could you give me a list of everything that is running protection on startup?


  11. Considering the nature of the infection on your computer, it is possible that it is infected with a rogue. Rogues pretend to be antivirus software, claiming that your computer is infected and usually trying to get you to pay money to remove whatever they claim they detected. In reality, the rogue is the infection. Just allow Microsoft Security Essentials to finish its scan and then remove anything it finds.

    You may also want to try Malwarebytes' Anti-Malware again after Microsoft Security Essentials is done.

    Do you have access to a good computer with a CD burner? It may be necessary to use a bootable anti-virus disk to clean this infection up.


  12. I'm sorry, you did give me a GMER log earlier. Let's try a scan with Malwarebytes' Anti-Malware. Please run a scan with Malwarebytes' Anti-Malware by following the instructions below:

    1. Please download and install Malwarebytes' Anti-Malware from one of the three mirrors listed below (beware of excessive advertising on some of the download pages):

    • When first running Malwarebytes' Anti-Malware, it will ask you if you want to operate it in a free trial mode. You can say no to this (the trial can be unlocked again at a later time if you want to try it).
    • Make sure to go to the Update tab and click the Check for Updates button to get the latest database.
    • Switch back to the Scanner tab and run a Quick Scan.
    • When it is done, remove anything it finds.
    • Whether or not it finds anything, you should be presented with a log in Notepad, which you should save to your desktop.
    • Attach the log you saved on your desktop to a reply for me to take a look at. You can attach files to a reply by clicking the More Reply Options to the lower-right of where you type in your reply. When the page loads, there will be a button right below the box to type in (on the left side) that says Choose Files... which will allow you to select the log file to attach it.


  13. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

    1. Disconnect from the Internet and close all running programs.
    2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
    4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    5. Allow the driver to load if asked.
    6. You may be prompted to scan immediately if it detects rootkit activity.
    7. If you are prompted to scan your system click "No", save the log and post back the results.
    8. If not prompted, click the "Rootkit/Malware" tab.
    9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    10. Select all drives that are connected to your system to be scanned.
    11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
    12. When the scan is finished, click Save to save the scan results to your Desktop.
    13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
    14. Exit the program and re-enable all active protection when done.


  14. Let's just run ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

    Link 1

    Link 2

    * IMPORTANT !!! Save Combo-Fix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      See HERE for help
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  15. That's the same stuff that ComboFix keeps showing. I doubt that it was actually removed. I need some more information to know what's going on.

    Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

    1. Disconnect from the Internet and close all running programs.
    2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
    4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    5. Allow the driver to load if asked.
    6. You may be prompted to scan immediately if it detects rootkit activity.
    7. If you are prompted to scan your system click "No", save the log and post back the results.
    8. If not prompted, click the "Rootkit/Malware" tab.
    9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    10. Select all drives that are connected to your system to be scanned.
    11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
    12. When the scan is finished, click Save to save the scan results to your Desktop.
    13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
    14. Exit the program and re-enable all active protection when done.